How to upload php shell on website

When we hack a web server, we usually want to be able to control it in order to download files or further exploit it. There are many websites that let you upload files such as avatar pictures that don't take the proper security measures. In this series, I will be showing you how to gain root access to such a web server.

For part 1, we will be trying to upload a PHP file that allows us to control the system.

Requirements

We are going to need Nmap for this part of the tutorial.

Step 1: Scan the Server

For this tutorial, I have set up a vulnerable server on my network. Let's scan it.

Nmap found two open ports: 80 and 22, so we know that the server has both HTTP and SSH services. At this point, we could use Hydra to crack the root password on SSH, but that is not the point of this tutorial. Let's visit the webpage...

Step 2: Upload Attempt

Let's view the upload page...

The form tells us that the file must be either a .jpeg, a .jpg, or a .png file. But, just in case, we'll try to upload a malicious PHP file.

Darn it. It doesn't upload. But what if we add our malicious code to the Exif data of a picture file?

Step 3: Backdooring an Image

In order to upload our shell, we need to use a legitimate picture file. In order to get our code to run, we need to add the PHP code to the Exif data. Enter this command:

exiftool -Comment="

The \$_GET'cmd'); code is what reads our command, and the _halt_compiler(); prevents the file-checking system from reading on with the binary data.

Now PHP code that lets us run commands is backdoored into the comments. Rename the file to picture.php.jpeg so that the website is forced to process the PHP code.

Step 4: Trying Again

Now, let's upload our backdoored file.

Yes! It worked! Now we can use commands to control it with our web browser.

Look! We were able to get system info!
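From the defending side, the file built in Step 3 leaves two traces: a script extension in the middle of its name, and code inside a JPEG comment or Exif segment. The following is an added example, not part of the original tutorial: it walks the JPEG header segments, reports any that contain PHP markers, and rewrites the file without its COM and APP1 segments. The extension list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

DROP = {0xFE, 0xE1}                      # COM and APP1 (Exif/XMP) segments
CODE_MARKERS = (b"<?php", b"__halt_compiler")
SCRIPT_EXTS = {"php", "phtml", "phar"}   # assumed list; match your handler config

def script_ext_in_name(filename):
    """True if any dot-separated part of the name is a script extension."""
    return any(p in SCRIPT_EXTS for p in filename.lower().split(".")[1:])

def jpeg_segments(data):
    """Yield (marker, start, end) for each header segment before start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:               # SOS: compressed image data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment")
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def inspect_and_strip(data):
    """Return (findings, cleaned) where cleaned has COM/APP1 segments removed."""
    findings, out, last = [], bytearray(data[:2]), 2
    for marker, start, end in jpeg_segments(data):
        seg, last = data[start:end], end
        hits = [m.decode() for m in CODE_MARKERS if m in seg.lower()]
        if hits:
            findings.append((f"0x{marker:02X}", hits))
        if marker not in DROP:
            out += seg
    return findings, bytes(out) + data[last:]

def _seg(marker, payload):               # builds one segment for the sample below
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI, JFIF header, a comment carrying inert PHP markers, scan stub.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xFE, b"<?php /* placeholder */ __halt_compiler();")
          + b"\xff\xda\x00\x02" + b"\xff\xd9")

if __name__ == "__main__":
    print(script_ext_in_name("picture.php.jpeg"), inspect_and_strip(SAMPLE)[0])
```

Anything placed in the scan data or after the end-of-image marker is outside what this walker inspects; decoding and re-encoding the image on the server removes that as well.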

Until Next Time...

Now that we have control over the system, we will be looking for ways to upload our payload to the server next, and hopefully get an interactive shell.

C|H of C3

Hello geeks! In this article we’ll learn how to hack any website and get root access using shell scripts.

We’ll target file upload areas in websites and tamper with their code.

So after you read this article you’ll know about:

1. How HTTP methods work against code

2. How to tamper with HTTP requests using simple Firefox plugins

3. How to get to the shell which you have already uploaded into the site directory

So guys, let’s start one by one…

1. HTTP Request and Response (HTTP SESSIONS)

As you know, websites run on web servers and use the HTTP protocol to transmit all their data; this methodology is called HTTP SESSIONS. Although it is TCP-based, it is a stateless protocol because it executes 2 or more commands simultaneously. So it is stateless.

HTTP can be put into a stateful position only when it has good, secure validation and cookie and session management.

So we’ll use some HTTP session vulnerability to hack a website by uploading shells.

What is Shell?

A shell is written code, basically server-side website code, which is encoded with Base64-type encoding techniques.

What the shell does is this: as soon as it is stored in any directory of the server, it opens a backdoor to our computer, or to whoever opens the backdoor.

The backdoor transfers full control over the HTTP server and all its directories, including root, and also over database tools like phpMyAdmin and others.

The shell may be PHP, ASP, JSP or any of the server side languages.

2. How to tamper HTTP request using simple Firefox plugins?

As I’ve mentioned, HTTP is a connectionless protocol. We can tamper with the HTTP requests and bypass the server-side code validation.

First Stage

First, download a Firefox plugin for tampering with HTTP requests.

Live HTTP Headers Plugins

You have to install this tool and enable it at Firefox startup.

Then go to the victim website and find any file upload area.

Since your shell has a .php extension, there will be a restriction allowing only image files with extensions like .png or .jpg to be uploaded.

To bypass the validation, you have to use the Live HTTP Headers add-on to change its extension.

First give your shell a double extension. (Ex: shell.php to shell.php.png)

Then press Submit. Once the file has been uploaded to the directory specified by the server-side code, open the Live HTTP Headers add-on, find the Content bar and click on it. Another pop-up window will appear; there, change your file name back to the normal .php extension and press the Replay button.

So now your file is successfully uploaded to the server.

3. How to find the location of the shell which you’ve uploaded and access the shell?

After you’ve uploaded the shell, it sits in an unknown directory which is specified in the server-side code.

You may not know that location; all you know is the file name.

That is enough to find your shell.

Use any web crawler or fuzzer tool and search by name.

Here we’ve used the OWASP ZAP tool to find its location.

You can also use the DirBuster tool to do this work.
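Both the filename tampering in section 2 and the search by file name in section 3 depend on the server storing the upload under a name the client controls. The sketch below is an added example, not code from the original article: it chooses the extension from the file's leading bytes and the rest of the name at random, so the submitted name never reaches the path. The function names, the accepted formats and the upload directory (assumed to sit outside the web root or to have script handlers disabled) are assumptions.

```python
import os
import secrets
from pathlib import Path

# Leading bytes of the only formats the upload form is assumed to accept.
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}

def sniff_extension(data):
    """Pick the stored extension from file content; None means reject."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def store_upload(client_filename, data, upload_dir):
    """Store an accepted upload under a server-chosen name and return that name.

    client_filename is accepted only so callers can log it; it is never used
    to build the path, so renaming it in the request changes nothing.
    """
    ext = sniff_extension(data)
    if ext is None:
        return None
    # 128 random bits: the stored name cannot be derived from the uploaded one.
    name = f"{secrets.token_hex(16)}.{ext}"
    # O_EXCL refuses to overwrite an existing file; 0o640 sets no execute bit.
    fd = os.open(Path(upload_dir) / name,
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name
```

A file that passes the leading-byte check can still carry code in its metadata, so this naming policy belongs alongside content checks and re-encoding, not in place of them.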

I hope this article was very useful and easy!

Thank you. We will discuss shell upload using the File Staging process in the next part of this Web-hacking version. Thank you. 🙂